MessagePack-CSharp: InterfaceLookupFormatter bypasses collision-resistant comparer settings
🔗 CVE IDs covered (1)
📋 Description
Summary
InterfaceLookupFormatter<TKey,TElement> constructs an internal Dictionary<TKey, IGrouping<TKey,TElement>> with the default equality comparer instead of the security-aware comparer supplied by options.Security.GetEqualityComparer<TKey>().
Other hash-based collection formatters use the security-aware comparer when MessagePackSecurity.UntrustedData is configured. This formatter omission allows hash-collision CPU denial of service against ILookup<TKey,TElement> even when the application has opted into the untrusted-data security posture.
Impact
Applications are affected when they deserialize untrusted payloads into schemas containing ILookup<TKey,TElement> with a key type for which attacker-controlled hash collisions are feasible.
Under the default comparer, many colliding keys can degrade dictionary insertion from amortized constant time to quadratic behavior. A payload of colliding keys can consume CPU for a disproportionate amount of time. This bypasses the mitigation that developers intentionally enabled by using MessagePackSecurity.UntrustedData.
Affected components
- Package:
MessagePack - API:
InterfaceLookupFormatter<TKey,TElement>.Create - Data type:
ILookup<TKey,TElement> - Finding ID:
MESSAGEPACKCSHARP-041
Patches
Fixes are prepared and will be released in coordinated patch versions.
Upgrade guidance:
- Upgrade
MessagePackto the patched version for your release line. - Upgrade companion MessagePack packages in the same dependency graph to the coordinated patched versions.
The fix should create the internal dictionary with options.Security.GetEqualityComparer<TKey>(), matching the sibling dictionary and lookup formatter behavior.
Workarounds
Patching is recommended.
Until a patched version is available, avoid exposing ILookup<TKey,TElement> in DTOs that deserialize untrusted data. Use collection shapes that are already protected by the security-aware comparer path, or validate and cap collection sizes at the transport boundary.
Resources
MESSAGEPACKCSHARP-041:InterfaceLookupFormattermissing security comparer- CWE-407: Inefficient Algorithmic Complexity
🎯 Affected products2
- nuget/MessagePack:< 2.5.301
- nuget/MessagePack:>= 3.0, < 3.1.7